horizon is configured with Directory Options Indexes

Bug #1637576 reported by Andreas Karis
Affects: tripleo
Status: Fix Released
Importance: Undecided
Assigned to: Andreas Karis

Bug Description

Some security scanners may complain that directory listings are enabled in tripleo based
deployments.

The default in apache::vhost is
~~~
cat /etc/puppet/modules/apache/manifests/vhost.pp
define apache::vhost(
(...)
  $options = ['Indexes','FollowSymLinks','MultiViews'],
(...)
~~~

I can change this in the templates with
~~~
parameter_defaults:
(...)
  controllerExtraConfig:
    horizon::vhost_extra_params:
      options: ['FollowSymLinks','MultiViews']
      priority: 10
      add_listen: false
~~~

but if directory listings aren't necessary, particularly because tripleo configures the /var/www directory as a "dummy directory".

The problem is that both /var/www/html and /var/www/cgi-bin can be listed:
~~~
[root@undercloud-6 ~]# curl http://10.0.0.4/cgi-bin/ | grep Index
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 1254 100 1254 0 0 24155 0 --:--:-- --:--:-- --:--:-- 24588
  <title>Index of /cgi-bin</title>
<h1>Index of /cgi-bin</h1>
[root@undercloud-6 ~]# curl http://10.0.0.4/html/ | grep Index
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 664 100 664 0 0 6154 0 --:--:-- --:--:-- --:--:-- 6148
  <title>Index of /html</title>
<h1>Index of /html</h1>
~~~

Andreas Karis (akaris) wrote :

Running another test to get rid of the docroot altogether as /var/www as docroot is not needed according to horizon documentation:
http://docs.openstack.org/liberty/config-reference/content/configure-dashboard.html

~~~
##### `docroot`

**Required**. Sets the [`DocumentRoot`][] location, from which Apache serves files.

If `docroot` and [`manage_docroot`][] are both set to `false`, no [`DocumentRoot`][] will be set and the accompanying `<Directory /path/to/directory>` block will not be created.
~~~

~~~
define apache::vhost(
  $docroot,
  $manage_docroot = true,
~~~

~~~
  controllerExtraConfig:
    horizon::vhost_extra_params:
      docroot: false
      manage_docroot: false
      add_listen: false
~~~

The end result removed any reference to /var/www:
~~~
[root@overcloud-controller-0 ~]# cat /etc/httpd/conf.d/12-horizon_vhost.conf
# ************************************
# Vhost template in module puppetlabs-apache
# Managed by Puppet
# ************************************

<VirtualHost 172.16.2.9:80>
  ServerName overcloud-controller-0.localdomain
  ## Alias declarations for resources outside the DocumentRoot
  Alias /dashboard/static "/usr/share/openstack-dashboard/static"

  ## Logging
  ErrorLog "/var/log/httpd/horizon_error.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/horizon_access.log" combined

  ## RedirectMatch rules
  RedirectMatch permanent ^/$ /dashboard

  ## Server aliases
  ServerAlias overcloud-controller-0.localdomain
  WSGIDaemonProcess dashboard group=apache processes=3 threads=10 user=apache
  WSGIProcessGroup dashboard
  WSGIScriptAlias /dashboard "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi"
</VirtualHost>
~~~

Before, this created the following issue:
~~~
[root@undercloud-6 ~]# curl http://10.0.0.4/cgi-bin/ | grep Index
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 1254 100 1254 0 0 24155 0 --:--:-- --:--:-- --:--:-- 24588
  <title>Index of /cgi-bin</title>
<h1>Index of /cgi-bin</h1>
~~~
After, the issue is gone:

However, this will default to "PREFIX/htdocs/ where PREFIX is set when you build apache".
http://serverfault.com/questions/705169/how-to-disable-the-default-document-root-in-apache

So it may be preferable to keep control over this value, keep it at /var/www, and simply disable the Indexes option.
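
The following is an added example, not code from this bug report, from puppet-apache or from tripleo. It shows the two checks a deployer would want around the fix discussed above: a config-side audit that flags any `Options` directive enabling directory listings (the `Indexes` token, including `+Indexes` and `All`), a response-side check for the `Index of /...` page the curl output above shows, and a helper that rewrites an `Options` line to the hardened form. All sample inputs are constructed; the `<Directory "/var/www">` block mirrors the puppet-apache default `['Indexes','FollowSymLinks','MultiViews']` rendered into Apache syntax, and is an assumption, not the exact text tripleo generates.

```shell
#!/bin/sh
# Added example (not from the bug report, puppet-apache or tripleo).
# Audits Apache config text for "Options ... Indexes" and checks an HTTP
# response body for an auto-generated directory listing. All sample
# inputs below are constructed for this example.

# Constructed <Directory> block mirroring the puppet-apache default options.
VULN_VHOST='<Directory "/var/www">
  Options Indexes FollowSymLinks MultiViews
  AllowOverride None
  Require all granted
</Directory>'

# The same block with Indexes dropped, as the fix in this bug does.
FIXED_VHOST='<Directory "/var/www">
  Options FollowSymLinks MultiViews
  AllowOverride None
  Require all granted
</Directory>'

# Constructed body in the shape of an Apache autoindex page.
BODY_LISTING='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /cgi-bin</title>
 </head>
 <body>
<h1>Index of /cgi-bin</h1>'

# Constructed body for a server that redirects / to /dashboard instead.
BODY_REDIRECT='<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head></html>'

# Exit 0 if any uncommented Options directive enables listings.
# "Indexes", "+Indexes" and "All" count; "-Indexes" does not.
options_allow_indexes() {
    printf '%s\n' "$1" |
    sed 's/#.*$//' |
    awk 'tolower($1) == "options" {
             for (i = 2; i <= NF; i++) {
                 t = tolower($i)
                 if (t == "indexes" || t == "+indexes" || t == "all") found = 1
             }
         }
         END { exit found ? 0 : 1 }'
}

# Exit 0 if the body carries the <title> Apache puts on autoindex pages.
looks_like_autoindex() {
    printf '%s\n' "$1" | grep -q '<title>Index of /'
}

# Print the config with Indexes (or +Indexes) removed from every Options
# directive. "Options All" is reported by the audit above but not rewritten.
strip_indexes() {
    printf '%s\n' "$1" |
    sed -E '/^[[:space:]]*Options[[:space:]]/ s/[[:space:]]+\+?Indexes([[:space:]]|$)/\1/g'
}

# Usage when run directly against a live config file and a URL, e.g.
#   sh check_indexes.sh /etc/httpd/conf.d/12-horizon_vhost.conf http://host/html/
if [ "$#" -eq 2 ]; then
    options_allow_indexes "$(cat "$1")" && echo "WARN: $1 enables Options Indexes"
    looks_like_autoindex "$(curl -s "$2")" && echo "WARN: $2 serves a directory listing"
fi
```

The config-side check is the one worth wiring into a deployment validation: the response-side check only proves a listing for the paths you happen to request, whereas the `Options` audit catches every `<Directory>` block in the generated vhost file, whichever of the two approaches in this thread (removing `Indexes` or dropping the docroot) is taken.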

Andreas Karis (akaris)
Changed in tripleo:
assignee: nobody → Andreas Karis (akaris)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/391529

Changed in tripleo:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (master)

Change abandoned by Andreas Karis (<email address hidden>) on branch: master
Review: https://review.openstack.org/391529
Reason: didn't branch + typo

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/391550

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/391550
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=0213ae9bd5596ca2be7d17e3294bec3791321b0f
Submitter: Jenkins
Branch: master

commit 0213ae9bd5596ca2be7d17e3294bec3791321b0f
Author: Andreas Karis <email address hidden>
Date: Thu Nov 17 19:30:11 2016 -0500

    Disable Options Indexes in horizon

    Security scanners complain that directory listings are enabled in horizon.

    Change-Id: I1d7cfcb3521e8235a99bc452f1b7b92c20ce72ac
    Closes-Bug: #1637576

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 6.0.0.0b2

This issue was fixed in the openstack/tripleo-heat-templates 6.0.0.0b2 development milestone.
